in swift_iam_role/swift_iam_role.py [0:0]
def create_swift_instance_operator_role(self, instance_ids):
    """Create the SWIFT instance operator role and attach its SSM access policy.

    The role trusts only principals of this account that present MFA
    (``aws:MultiFactorAuthPresent`` must be ``true``). One managed policy,
    ``SSMInstanceAccessPolicy``, is created and attached to it with three
    statements:

    * ``ssm:StartSession`` / ``ssm:SendCommand`` restricted to the
      ``SSM-SessionManagerRunShell`` document plus the listed instances;
    * the read-only describe/status calls those operations rely on (``*``);
    * ``ssm:TerminateSession`` on sessions named ``${aws:username}-*``.

    Args:
        instance_ids: Iterable of EC2 instance ids the operator may connect
            to. ``None`` (or an empty iterable) yields no instance ARNs, so the
            first statement then names only the session document.

    Returns:
        None. The role and policy are registered as child constructs of
        ``self``; nothing is returned.
    """
    mfa_only_trust = _iam.AccountPrincipal(account_id=self.account).with_conditions(
        {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    )
    operator_role = _iam.Role(
        self,
        "SWIFTInstanceOperatorRole",
        role_name="SWIFTInstanceOperatorRole",
        assumed_by=mfa_only_trust,
    )

    # Scope the session/command actions to the given instances. The partition
    # is fixed to "aws", consistent with every other ARN built here.
    instance_arn_prefix = f"arn:aws:ec2:{self.region}:{self.account}:instance/"
    instance_arns = (
        []
        if instance_ids is None
        else [instance_arn_prefix + instance_id for instance_id in instance_ids]
    )
    session_document_arn = (
        f"arn:aws:ssm:{self.region}:{self.account}:document/SSM-SessionManagerRunShell"
    )

    # BoolIfExists: presumably so SendCommand (which carries no session-document
    # condition key) still matches, while StartSession must pass the check.
    start_session = _iam.PolicyStatement(
        effect=_iam.Effect.ALLOW,
        actions=["ssm:StartSession", "ssm:SendCommand"],
        resources=[session_document_arn] + instance_arns,
        conditions={"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}},
    )
    # Describe/status calls are account-wide here; resource scoping is not
    # applied to them in this policy.
    describe_instances = _iam.PolicyStatement(
        effect=_iam.Effect.ALLOW,
        actions=[
            "ssm:DescribeSessions",
            "ssm:GetConnectionStatus",
            "ssm:DescribeInstanceInformation",
            "ssm:DescribeInstanceProperties",
            "ec2:DescribeInstances",
        ],
        resources=["*"],
    )
    # NOTE(review): this role is only ever reached via AssumeRole (see the trust
    # policy above), and the aws:username policy variable is not populated for
    # role sessions, so this pattern may never match an operator's own session
    # id — confirm against a real session, or consider aws:userid.
    terminate_own_sessions = _iam.PolicyStatement(
        effect=_iam.Effect.ALLOW,
        actions=["ssm:TerminateSession"],
        resources=["arn:aws:ssm:*:*:session/${aws:username}-*"],
    )

    _iam.Policy(
        self,
        "SSMInstanceAccessPolicy",
        policy_name="SSMInstanceAccessPolicy",
        roles=[operator_role],
        statements=[start_session, describe_instances, terminate_own_sessions],
        force=True,  # create the policy resource even if CDK would otherwise skip it — confirm semantics
    )